With recent cyber security attacks, the “border defense” security protection mechanism has often penetrated and broken through, and the “borderless” security defense idea—Zero Trust was proposed. The device application sandbox deployment model is one of the four essential Zero Trust architecture device deployment models. The isolation of the application sandbox directly affects the security of trusted applications. Given the security risks, such as sandbox escape in the sandbox application, we propose a hybrid isolation model based on access behavior and give the formal definition and security characteristics of the model. The model dynamically determines the security identity of the subject according to the access behavior and controls the access operation of the application sandbox. Therefore, the sandbox meets the characteristics of autonomous security, domain isolation, and integrity, ensuring that the system is always in an isolated safe state and easy to use. Finally, we implement the security model based on the container and Linux security module, and test the network and disk performance of this model. What is more, we make security comparison experiments based on the same container escape vulnerability. The experimental results show that the security model proposed in this paper effectively enhances the security of the device application sandboxing deployment model in Zero Trust architecture, and has a better performance compared with Container‐SELinux.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.